Security for automotive electrical/electronic (E/E) architectures
| Field | Value |
|---|---|
| Format | Theses and Dissertations |
| Language | English |
| Published | 2018 |
| Online Access | https://hdl.handle.net/10356/88401 http://hdl.handle.net/10220/45957 |
| Institution | Nanyang Technological University |
Summary: The increasing connectivity among vehicles increases their attack surface and challenges their security. This thesis explores approaches to improve the analysis and design of security for in-vehicle networks. To this end, a design-time security analysis, a runtime authentication and authorization framework, and a flexible scheduling scheme that efficiently enables security on FlexRay are presented. The infotainment system of an electric taxi is introduced as a design experience to demonstrate the necessity of new approaches in automotive security.
Vehicles today include a large number of electronics in the form of Electronic Control Units (ECUs). These ECUs are interconnected in internal vehicle networks that implement distributed control tasks. With the trend of rising interconnectivity and the Internet of Things (IoT), these in-vehicle networks are increasingly connected to other vehicles and to the Internet. While the internal vehicle networks are shielded by gateways and firewalls, these protection mechanisms are not impenetrable. Because these external interfaces use the same protection mechanisms as the Internet, the same types of attacks can be applied to them. Once an attacker has access to the vehicle network, they often have as many possibilities for influence as the vehicle owner or an authorized workshop. These internal networks consist of specialized automotive components, are often not sufficiently segmented or secured, and transmit messages unencrypted.
Combining security and automotive real-time systems is challenging in many ways. The heterogeneity and complexity of automotive communication systems and their interconnections make the quantification of security a difficult task. Lower computational capabilities and network bandwidth, coupled with the real-time behavior of automotive systems, make the implementation of computation- and bandwidth-intensive security challenging. New solutions are required to address security in the automotive domain in the context of not only functional, but also real-time requirements.
This thesis explores approaches to (1) analyze the security of in-vehicle networks at design time, (2) secure network traffic efficiently through authentication and authorization at runtime, and (3) enable security on legacy communication systems. These approaches are motivated in the context of the infotainment system of an electric taxi. The interaction of passengers with the infotainment system opens an attack vector on safety-critical in-vehicle systems and requires security to be a priority.
The first approach targets the problem of quantifying the security of architectures and forms the basis for the evaluation of all other approaches. It is not straightforward to evaluate the security of a network, and no method to quantify the security of automotive networks currently exists. In this thesis, the Security Analysis for Automotive Networks (SAAN) is proposed. SAAN uses probabilistic model checking to calculate the security of automotive networks, based on the architecture and on expert evaluations of components. Evaluations of SAAN demonstrate its capability to detect security flaws and to compare automotive architectures in terms of security. SAAN employs an automotive-specific model generation that takes into account the specific security dependencies in the automotive architecture. These dependencies are formulated as rules and form the basis for state-space reduction in the model. By reducing the model size, the performance of the model checking can be improved by two to three orders of magnitude over state-of-the-art model generation.
After establishing the ability to analyze networks for security, the second approach is centered on securing in-vehicle network traffic efficiently. To secure traffic, communication participants must be authenticated and messages must be authorized. This is typically ensured by authentication frameworks. Traditional authentication frameworks have high computation and bandwidth requirements that are incompatible with automotive networks. This thesis proposes the Lightweight Authentication for Secure Automotive Networks (LASAN). LASAN is specifically tuned to the automotive environment, leveraging the fixed network structure to reduce avoidable flexibility in the protocols and to minimize message sizes and thus bandwidth requirements. Splitting the asymmetric and symmetric protocol components distributes the computational requirements and thus reduces the delays in time-critical phases of the system. Evaluations show improvements in setup latency of two to three orders of magnitude over the state of the art. Besides improved efficiency, LASAN can be easily integrated with existing automotive processes, such as Over-The-Air (OTA) updates or workshop maintenance and repair.
The third approach targets the problem of security in legacy communication systems. Existing time-triggered communication systems, such as FlexRay, are highly limited in their flexibility regarding message lengths and transmission times. This limits the entropy available for security, allowing brute-force attacks on cryptographic keys and effectively rendering the employed security mechanisms useless. The policy-based scheduling for FlexRay presented in this thesis enables higher flexibility for messages on the bus by abstracting the bond between time-triggered slots and messages. Messages are flexibly arranged in a virtual communication layer before being divided into slots. Thus, messages can be transmitted priority-based, and messages longer than one slot length can be transmitted. This allows the implementation of authentication frameworks and increases the available entropy per message through enlargement, supporting encryption efficiently. Through the underlying time-triggered system, worst-case response times can be calculated efficiently. Evaluations show improvements in message transmission latencies of close to one order of magnitude over conventional FlexRay scheduling. At the same time, flexibility for message sizes and periods is increased significantly.
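The virtual communication layer described in this passage, sketched here as an added simplified Python illustration (not the thesis's own scheduler): the slot size, the message set and the priority-ordered packing are constructed assumptions, but it shows how decoupling messages from slots lets a message longer than one slot, such as one carrying an authentication tag, be transmitted, and how the slot index still yields a worst-case response bound.

```python
from dataclasses import dataclass, field

SLOT_PAYLOAD = 16  # constructed static-slot payload size in bytes; real FlexRay configs differ


@dataclass(order=True)
class Message:
    priority: int                          # lower value = higher priority
    name: str = field(compare=False)
    payload: bytes = field(compare=False)  # application data plus any authentication tag


# Constructed sample: "auth_token" carries a 32-byte tag and cannot fit a single slot.
MESSAGES = [
    Message(5, "climate", bytes(6)),
    Message(0, "brake", bytes(8)),
    Message(1, "auth_token", bytes(8 + 32)),
]


def conventional_schedule(messages):
    """Fixed slot binding: each message owns one slot and is never fragmented,
    so anything larger than SLOT_PAYLOAD cannot be transmitted at all."""
    sent, rejected = [], []
    for m in messages:
        (sent if len(m.payload) <= SLOT_PAYLOAD else rejected).append(m.name)
    return sent, rejected


def virtual_layer_schedule(messages):
    """Policy-based variant: order messages by priority in a virtual byte stream,
    then cut the stream into consecutive slots; a long message spans several."""
    stream = [(m.name, b) for m in sorted(messages) for b in m.payload]
    slots = []
    for i in range(0, len(stream), SLOT_PAYLOAD):
        frag = {}  # message name -> number of its bytes carried in this slot
        for name, _ in stream[i:i + SLOT_PAYLOAD]:
            frag[name] = frag.get(name, 0) + 1
        slots.append(frag)
    return slots


def response_slot(slots, name):
    """Worst-case response in slot units: index of the last slot carrying the message.
    Because slots are time-triggered, this converts directly to a time bound."""
    return max(i for i, frag in enumerate(slots) if name in frag)


if __name__ == "__main__":
    print("conventional:", conventional_schedule(MESSAGES))
    sched = virtual_layer_schedule(MESSAGES)
    print("virtual layer:", sched, "auth_token done in slot", response_slot(sched, "auth_token"))
```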
The security approaches in this thesis are closely linked. Without a flexible message transmission scheme, authentication protocols cannot be implemented. Without an evaluation option for security, quantifying the impact of an authentication framework is highly complicated. Without an authentication framework, secure setup of architectures is not possible. The proposed approaches span both the design-time and runtime aspects of automotive communication system development. A tight integration is key to security in automotive networks. This thesis lays the groundwork for it.